lokibot | 66896b1e0185fe478676b2efc089442230577e7b7b3d62eed4604adbe829f8d9 | Triage

Submit
Reports

Overview

overview

Static

static

Invoice PG...6.xlsx

windows7_x64

Invoice PG...6.xlsx

windows10_x64

1

Sharing

General

Target

Invoice PG 008946.xlsx
Size

1.2MB
Sample

210727-4b4j1waq16
MD5

84ea29c7d6a9ed32225d28bb8f54aa9c
SHA1

c75c6394dfa978671c5ed147ce93a2beec1f097d
SHA256

66896b1e0185fe478676b2efc089442230577e7b7b3d62eed4604adbe829f8d9
SHA512

9bf2f046d7dc821df3342b072ace1ebf5321af72807a4e0100df4fd698e4d2e9459690a987437779493544c9c4dff1332b2332958a36022ab4c54a0cd3946432

Score

10^/10

lokibot spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

Invoice PG 008946.xlsx

Resource

win7v20210408

lokibot spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Invoice PG 008946.xlsx

Resource

win10v20210408

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

lokibot

C2

http://185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  Invoice PG 008946.xlsx
- Size
  
  1.2MB
- MD5
  
  84ea29c7d6a9ed32225d28bb8f54aa9c
- SHA1
  
  c75c6394dfa978671c5ed147ce93a2beec1f097d
- SHA256
  
  66896b1e0185fe478676b2efc089442230577e7b7b3d62eed4604adbe829f8d9
- SHA512
  
  9bf2f046d7dc821df3342b072ace1ebf5321af72807a4e0100df4fd698e4d2e9459690a987437779493544c9c4dff1332b2332958a36022ab4c54a0cd3946432
Score

10^/10

lokibot spyware stealer suricata trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- suricata: ET MALWARE LokiBot Checkin
  suricata
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata
- CustAttr .NET packer
  Detects CustAttr .NET packer in memory.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

lokibotspywarestealersuricatatrojan

behavioral2

© 2018-2024

Terms | Privacy